Friday, January 4, 2013

Secure Rancid ViewVC with LDAP authentication

Now that I have a working Rancid install, I wanted to secure the ViewVC web site requiring that users authenticate before being able to see the repository contents.  ViewVC doesn’t have any authentication facilities built into it, but you can use the authentication facilities provided as a part of Apache.
On my CentOS 6.3 install, all of the necessary LDAP authentication modules were already installed and running.  I just needed to define the LDAP connection attributes as well as defining the users I want to be able to authenticate. 
I am using LDAPs on port 636 for my authentications so no credentials are going over the network in cleartext.  The first step to configure this is to create a key pair to use to connect to the Domain Controller over SSL.  I am storing my certificates in /etc/httpd/certificate, but you can store them wherever you like.
  • openssl genrsa 2048 > ldap.key
  • openssl req –new –x509 –nodes –sha1 –days 1825 –key ldap.key > ldap.cer
I specified –days 1825 in the certificate generation command so that the certificate would be good for 5 years.  You can specify any number you like, I just didn’t want to have to remember to renew the cert.
Once the certificates are created, we need to configure Apache.
  • nano /etc/httpd/conf/httpd.conf
In the main config file outside of any Directory or VirtualHost directives, you need to add the following:
  • LDAPVerifyServerCert off
  • LDAPTrustedMode SSL
  • LDAPTrustedGlobalCert CERT_DER /etc/httpd/certificate/ldap.cer
  • LDAPTrustedGlobalCert KEY_DER /etc/httpd/certificate/ldap.key
In the VirtualHost directive we defined for ViewVC, you need to add the following.  Active Directory does not allow anonymous LDAP lookups by default, so you’ll need a user account that can be used to authenticate for lookups.  That user is specified in AuthLDAPBindDN.  The users specified in Require ldap-user are the user accounts allowed to access ViewVC.  I didn’t try it, but I believe this can also be limited to groups with “Require ldap-group “.
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    AuthLDAPURL “ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?”SSL
    Require ldap-user admin1 admin2 admin3
</Location>

Once you’ve saved those changes, you can restart Apache and test that LDAP Auth is working.  Mine worked, but gave me a HTTP 500 error.  I set logging in httpd.conf to debug, and tried to authenticate again.  That gave me the error message
[Fri Jan 04 10:48:37 2013] [info] [client x.x.x.x] [14711] auth_ldap authen
ticate: user myuser authentication failed; URI /viewvc [ldap_search_ext_s() for
user failed][Operations error]
Googling the error led me to an issue with the way that the RedHat apache package is handling authentication referrals.  The fix was to edit /etc/openldap/ldap.conf and add the line:
REFERRALS off
Once I did that, I was able to successfully authenticate and get into ViewVC.
These links were helpful to me in figuring all of this out:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
http://acksyn.org/?p=227

Wednesday, January 2, 2013

Using Rancid to backup your configs (Part 3)

If you've followed parts 1 and 2 of this guide, you should have a working Rancid installation with a web interface for CVS.  Now we'll configure email notifications and device polling based on configuration changes made those devices.  I use postfix to send mail notifications, and Simple Event Correlator to trigger Rancid when config changes are made. 
Let’s configure postfix first.  In my environment, this was pretty simple.  We are using Cisco IronPort appliances as mail gateways.  I configured my Rancid box as host allowed to send through the IronPort.  Once that was done, I just needed to configure postfix to use the IronPort as a relay.  You should be able to use other mail systems (e.g. Exchange)  in the same way.
To do that, edit the file /etc/postfix/main.cf.
  • nano /etc/postfix/main.cf
Change the lines that start with relayhost.
  • relayhost = mydomain.oom
  • relayhost = FQDN or ip address of your gateway
Start postfix and test your config.
  • service postfix start
  • telnet localhost 25
  • ehlo mail
  • mail from: rancid@mydomain.com
  • rcpt to: brian.gill@mydomain.com
  • data
  • Subject: Testing postfix
  • Just testing postfix.
  • .
  • quit
There will be feedback to each of those commands, it should look something like this:
[root@rancid]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 rancid.mydomain.com ESMTP Postfix
ehlo mail
250-rancid.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: rancid@mydomain.com
250 2.1.0 Ok
rcpt to: brian.gill@mydomain.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: Testing postfix
Just testing postfix.
.
250 2.0.0 Ok: queued as 8EF87C0F28
quit221 2.0.0 Bye
Connection closed by foreign host.

If your gateway is configured correctly, you should get a message in your inbox.  If not, the postfix logs at /var/log/ may provide clues to the problem, as well as the logs on your mail system.
Now we can configure triggers based on configuration changes on your devices.  I am monitoring our Cisco routers, so I’ll walkthrough configuring the routers and SEC for Cisco.
We need to install Simple Event Correlator. 
  • yum install sec
We need to configure SEC to look for the configuration change syslog messages.
  • nano /etc/sec/cisco_config_change.sec
We need to define the message to look for as well as the action to take when a syslog comes in showing a configuration change was made.  The following looks for Cisco syslogs indicating a configuration change was made.  Once the change is detected, the action is triggered.  In this case, Rancid is run to check the configs.
type=Single
ptype=substr
pattern=%SYS-5-CONFIG_I:
desc=device configuration
action=shellcmd /bin/su - rancid -c /usr/local/rancid/bin/rancid-run

With the action above, Rancid will run every time a config change is made.  Alternately, SEC can be configured to only trigger the event every x seconds.  Simply change type=SingleWithSuppress and add the line window=x where x is the number of seconds between triggers.  For example, if you used 360, the action would only be fired if 360 seconds (5 minutes) had passed since the last trigger.
The firewall has to be modified to allow the syslog daemon to listen for the messages.

  • nano /etc/sysconfig/iptables
  • -A INPUT  -m state --state NEW –m udp –p udp –-dport 514 –j ACCEPT
  • service iptables restart
Lastly, we need to configure the device to send syslog messages to Rancid.
  • Router(config)# logging on
  • Router(config)# logging ip-address-of-rancid
That’s all there is to it.  You should now have a working Rancid installation with a SSL web interface that polls your devices on a regular basis as well as when changes are made.  Next on my list is configuring the server to require a log in on the web interface based on our Active Directory.  I’ve been able to get Apache to require the log in and successfully authenticate against AD, but ViewVC doesn’t like the authenticated sessions.  Once I have time to figure it out, I’ll post about it.